ClamScan Results: Known viruses: 0

NethServer Version: 7.9
Antivirus
ClamScan: Engine version: 0.103.7

Hello all,
within my logs I found:
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.103.7
Scanned directories: 52687
Scanned files: 275278
Infected files: 0
Data scanned: 60239.48 MB
Data read: 120217.95 MB (ratio 0.50:1)
Time: 969.439 sec (16 m 9 s)
Start Date: 2022:08:13 03:35:01
End Date: 2022:08:13 03:51:11

My first look was at the Settings:

If I update the database manually afterwards:


Perhaps…: “You are on cool-down until after: 2022-08-13 11:00:40”

Within Antivirus, I activated official signatures.

LOG:

Aug 13 06:31:12 Nethserver.###.de systemd[1]: Starting clamd scanner (rspamd) daemon…
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Received 0 file descriptor(s) from systemd.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: clamd daemon 0.103.7 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Log file size limited to 1048576 bytes.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Reading databases from /var/lib/clamav
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Not loading PUA signatures.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Bytecode: Security mode set to “TrustSigned”.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Loaded 1 signatures.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: LOCAL: Unix socket file /var/run/clamd@rspamd/clamav
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: LOCAL: Setting connection queue length to 200
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: Global time limit set to 120000 milliseconds.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: Global size limit set to 104857600 bytes.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: File size limit set to 26214400 bytes.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: Recursion level limit set to 17.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: Files limit set to 10000.
Aug 13 06:31:12 Nethserver.###.de systemd[1]: Started clamd scanner (rspamd) daemon.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: MaxScriptNormalize limit set to 5242880 bytes.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: MaxPartitions limit set to 50.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: MaxIconsPE limit set to 100.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: MaxRecHWP3 limit set to 16.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: PCREMatchLimit limit set to 100000.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: PCRERecMatchLimit limit set to 2000.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Limits: PCREMaxFileSize limit set to 26214400.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Archive support enabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: AlertExceedsMax heuristic detection disabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Heuristic alerts enabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Portable Executable support enabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: ELF support enabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Mail files support enabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: OLE2 support enabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: PDF support enabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: SWF support enabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: HTML support enabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: XMLDOCS support enabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: HWP3 support enabled.
Aug 13 06:31:12 Nethserver.###.de clamd[9596]: Self checking every 600 seconds.
Aug 13 06:41:12 Nethserver.###.de clamd[9596]: SelfCheck: Database status OK.

What happened there? Why “Known viruses: 0”?

Best regards, Marko

Maybe there were too many update requests from your IP/subnet. It should work again after the cool-down.

It seems the virus database wasn’t downloaded.

https://www.reddit.com/r/linuxquestions/comments/pl58h4/unable_to_update_clamav_definitions_constantly/

2 Likes

I have also diagnosed the same finding. However, I could not answer the question why the signatures could not be updated. The current IP lock, because I had tried too often to initiate a manual download, could not be the cause. At least the logs show that no current signatures were downloaded for weeks. Possibly never, otherwise the number would not be zero but greater than zero, just not updated.

Anyway, today the situation is different.

Yesterday:

------------------------------------
	Sat Aug 13 01:56:01 2022
Scanned Folder: /
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.103.7
Scanned directories: 19179
Scanned files: 117926
Infected files: 0
Data scanned: 12112.14 MB
Data read: 5991.26 MB (ratio 2.02:1)
Time: 194.891 sec (3 m 14 s)
Start Date: 2022:08:13 01:56:01
End Date:   2022:08:13 01:59:16

Today:

------------------------------------
	Sun Aug 14 09:09:34 2022
Scanned Folder: /
----------- SCAN SUMMARY -----------
Known viruses: 8638540
Engine version: 0.103.7
Scanned directories: 52697
Scanned files: 276197
Infected files: 0
Data scanned: 63648.98 MB
Data read: 119604.88 MB (ratio 0.53:1)
Time: 5186.084 sec (86 m 26 s)
Start Date: 2022:08:14 09:09:34
End Date:   2022:08:14 10:36:00

However, one thing has remained the same. I can’t explain why signatures were never automatically loaded before and why it suddenly works now.

Sincerely, Marko

On another server it is even stranger:

------------------------------------
	Sat Aug 13 06:39:22 2022
Scanned Folder: /
/etc/suricata/rules/ET-emerging-web_client.rules: Html.Exploit.CVE_2018_8373-6654754-1 FOUND
/tmp/emerging.rules.tar.gz: Html.Exploit.CVE_2018_8373-6654754-1 FOUND

----------- SCAN SUMMARY -----------
**Known viruses: 8638434**
Engine version: 0.103.7
Scanned directories: 19181
Scanned files: 117754
Infected files: 2
Data scanned: 12031.71 MB
Data read: 5915.44 MB (ratio 2.03:1)
Time: 1882.406 sec (31 m 22 s)
Start Date: 2022:08:13 06:39:22
End Date:   2022:08:13 07:10:45

------------------------------------
	Sun Aug 14 09:06:49 2022
Scanned Folder: /
----------- SCAN SUMMARY -----------
**Known viruses: 92**
Engine version: 0.103.7
Scanned directories: 19191
Scanned files: 117815
Infected files: 0
Data scanned: 11493.14 MB
Data read: 5944.46 MB (ratio 1.93:1)
Time: 451.537 sec (7 m 31 s)
Start Date: 2022:08:14 09:06:49
End Date:   2022:08:14 09:14:21

Suricata (IPS) is installed on the second server and clamscan incorrectly detects a Suricata rule file as a virus (false positive). I recommend excluding the file/folder from being scanned in the Clamscan settings.

1 Like

Yes, I know. But why was it Known viruses: 8638434 yesterday and only Known viruses: 92 today?
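
A check for the condition discussed in this thread, as an added example that is not part of any post: it parses clamscan summary blocks and flags runs where "Infected files: 0" is meaningless because the signature count is zero, has dropped sharply against the previous run, or sits below a floor. The floor of 1,000,000, the 50% drop ratio and the function names are assumptions; the sample log is constructed from the figures quoted above.

```python
import re

# Constructed sample: summaries condensed from the figures quoted in this
# thread and concatenated as if they came from one clamscan log.
SAMPLE_LOG = """\
----------- SCAN SUMMARY -----------
Known viruses: 0
Start Date: 2022:08:13 01:56:01
----------- SCAN SUMMARY -----------
Known viruses: 8638434
Start Date: 2022:08:13 06:39:22
----------- SCAN SUMMARY -----------
Known viruses: 92
Start Date: 2022:08:14 09:06:49
"""

FIELD = re.compile(r"^(Known viruses|Infected files|Start Date):\s*(.+)$")

def parse_summaries(text):
    """Return one dict per SCAN SUMMARY block found in the log text."""
    runs = []
    for line in text.splitlines():
        if "SCAN SUMMARY" in line:
            runs.append({})
        elif runs and (m := FIELD.match(line.strip())):
            key, value = m.groups()
            runs[-1][key] = value if key == "Start Date" else int(value)
    return runs

def audit(runs, floor=1_000_000, max_drop=0.5):
    """Flag runs scanned with an empty, shrunken or tiny signature set."""
    findings, previous = [], None
    for run in runs:
        known, when = run.get("Known viruses"), run.get("Start Date", "?")
        if known is None:
            findings.append((when, "summary has no signature count"))
            continue
        if known == 0:
            findings.append((when, "no signatures loaded"))
        elif previous and known < previous * max_drop:
            findings.append((when, f"signature count dropped from {previous} to {known}"))
        elif known < floor:
            findings.append((when, f"only {known} signatures loaded"))
        previous = known
    return findings

if __name__ == "__main__":
    for when, reason in audit(parse_summaries(SAMPLE_LOG)):
        print(f"{when}: {reason}")
```

Run against the real scan log from cron or a monitoring agent, a non-empty result from `audit` is worth an alert, since a scan with no signatures reports clean regardless of what is on disk.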